Modern-day smartphones come with a whole host of proactive security features built right in. Scammers and hackers will often try to trick you into disabling or bypassing these safety measures—which is exactly what a newly discovered text phishing con tries to get you to do.
As reported by BleepingComputer, the SMS-based ruse can be recognized by the way it tries to get you to reply with a “Y” to enable a link embedded in the text. The message might also get you to copy and paste the link into Safari.
Replying to the message or moving the link elsewhere gets around a key security measure in iOS: Links from senders who are not in your contacts list are disabled by default. The feature is so critical to iPhone security that you can’t toggle it on or off—it’s a built-in part of the Messages app you can’t change.
Replying with a “Y” (or any other response) makes iOS think you know the sender, and once you restart the Messages app (as the scam text will tell you to do), the link will be tappable—and take you to some kind of fraudulent, credential-stealing website.
According to the fine folks at BleepingComputer, there has been a surge in these types of messages since the middle of last year. Texts purporting to come from courier companies and demands for road toll payments are a couple of the scam messages that have been spotted in that time.
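As an added illustration (not code from the Lifehacker piece or from BleepingComputer), the heuristic below scores a message body on the tells described above: the "reply Y" instruction, the "copy the link into Safari" workaround, the "reopen Messages" step, a link, and a toll or courier lure with a deadline. The indicator regexes, weights and sample messages are my own constructions.

```python
import re

# Indicators derived from the scam pattern described above.
# Each entry is (name, regex, weight); these are approximations, not a
# published signature set.
INDICATORS = [
    ("reply_to_enable",      re.compile(r"\breply\s+(?:with\s+)?\W?y\b\W?", re.I), 3),
    ("copy_link_to_browser", re.compile(r"\b(?:copy|paste)\b.{0,40}\b(?:safari|browser)\b", re.I), 3),
    ("restart_messages",     re.compile(r"\b(?:re-?open|restart|exit)\b.{0,30}\bmessages?\b", re.I), 2),
    ("link_present",         re.compile(r"https?://|\bwww\.|\.[a-z]{2,}/\S", re.I), 1),
    ("lure_toll_or_courier", re.compile(r"\b(?:toll|unpaid|outstanding|package|parcel|delivery|courier)\b", re.I), 1),
    ("urgency",              re.compile(r"\b(?:within\s+\d+\s+(?:hours?|days?)|immediately|today|late fee|penalt(?:y|ies))\b", re.I), 1),
]

def score_sms(text):
    """Return (score, [names of matched indicators]) for one message body."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits

def is_suspicious(text, threshold=4):
    """A link alone is not enough; the 'enable the link' instructions are what tip the score."""
    return score_sms(text)[0] >= threshold

# Constructed sample messages for the demo (not real scam texts).
SAMPLES = {
    "toll_scam": ("Your vehicle has an unpaid toll of $6.99. Pay within 12 hours to avoid a late fee: "
                  "https://example.test/pay (Reply Y, then exit the message and open it again, "
                  "or copy the link into Safari)"),
    "courier_scam": ('Courier: your package could not be delivered. Reply with "Y" and reopen '
                     "Messages to confirm your address: example.test/track"),
    "legit_delivery": "Your order #1234 has shipped. Track it at https://example.com/track/1234",
    "friend": "Running 10 min late, see you at the cafe",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, score_sms(body), "SUSPICIOUS" if is_suspicious(body) else "ok")
```

A genuine shipping notification still scores on the link alone, which is why the threshold sits above that single indicator.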
How to keep yourself safe
One member of the Lifehacker team has recently seen a message fitting this description, demanding payment for an outstanding toll bill. The familiar trick of pushing the message recipient to act quickly—in this case to avoid paying even more—is used.
It’s worth bearing in mind (and reminding family and friends) that even in the best-case scenarios, you should be very wary of following links that arrive over messaging apps and email. Ideally, you only want to respond to links you’re expecting: To track a delivery you’ve ordered, for example, or to confirm your email address for a new account.
Even messages that appear to come from trusted contacts can be faked—maybe an account impersonating them has been created, or maybe hackers have managed to get access to their accounts, for example. If you get a link from someone you know, double-check with them that it’s genuine before following it.
Note that there are two parts to scams like this: The first is getting you to follow the link, and the second is getting you to enter sensitive information (like credit card details or an account password) on a fraudulent website. Even if you are tricked into following a dodgy link, as long as you’re able to spot a spoofed webpage, you’re okay: Look for weird formatting, a URL that doesn’t make sense, and other inconsistencies.
Today’s operating systems and web browsers have plenty of built-in protection against phishing sites, so—as always—make sure all of your software is kept up-to-date to minimize the risk of getting caught out. And always avoid responding to any message from an unknown and unverified sender, whether it’s with “Y” or with “STOP” to supposedly stop future messages. That just identifies you as a potential future target.